
14.8.10 Registering an X.509 Public Key Certificate


Use the addvbootcerts command to register an X.509 public key certificate with the XSCF as a user’s certificate. Execute the addvbootcerts command with a user account that has the platadm or pparadm privilege.
XSCF> addvbootcerts -p ppar_id certname {-F URL | signature}
For ppar_id, specify the destination physical partition. For certname, specify the name of the X.509 public key certificate to be registered. To specify a public key certificate, copy and paste the contents of the public key certificate, or read it from a USB medium or http/https server by specifying the -F option. To specify USB media, connect it to a USB port on the XSCF unit panel (rear panel) of the master XSCF.
The public key certificate is registered with the XSCF as a user's certificate. Up to five public key certificates can be registered.
In the following example, a public key certificate stored in a USB medium is specified.
XSCF> addvbootcerts -p ppar_id certname -F file:///media/usb_msd/file
Note - You can also register an X.509 public key certificate by using XSCF Web.
Note - Register X.509 public key certificates by specifying them one by one. You cannot specify multiple public key certificates at a time.
Note - If the public key certificate to be registered is in a data format other than X.509, or if its data is corrupted, it cannot be registered with the XSCF. The addvbootcerts command results in an error.
Note - A system default certificate is a public key certificate the XSCF has by default. The obtained X.509 public key certificates cannot be registered as system default certificates.
Operation Procedure
  1. Log in to the XSCF.
    For details, see "2.2 Logging In to the XSCF Shell."
  2. Execute the addvbootcerts command to register a user's certificate with the XSCF.
    In the following example, an X.509 public key certificate stored on USB media is added to PPAR-ID 4 under the name "CUSTOM_CERT_2". "y (yes)" is the response to the confirmation message.
XSCF> addvbootcerts -p 4 CUSTOM_CERT_2 -F file:///media/usb_msd/vboot/3rd_perty_cert_xyz
The above elfsign X.509 key certificate will be added to PPAR-ID 4,
Continue?[y|n]:y
.... done.
successfully added this certificate to PPAR-ID 4 as index 2.
  3. Execute the showvbootcerts command to confirm that the X.509 public key certificate was properly registered with the XSCF.
    In the following example, the detailed information of the X.509 public key certificate registered as index number 2 in PPAR-ID 4 is displayed.
XSCF> showvbootcerts -v -p 4 -u -i 2
--------------------------------------------------------------------------------

PPAR-ID 4 User Index : 2 name : CUSTOM_CERT_2 [Enable]
--------------------------------------------------------------------------------

Data:
Version: 3 (0x2)
Serial Number:
07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:aa:70
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Thirdparty Corporation, OU=Thirdparty CA, CN=www.example.com
Subject: O=Thirdparty Corporation, OU=Thirdparty Signed Execution,
CN=www.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:de:f0:2c:45:61:7f:10:c7:16:56:a9:14:b4:a4:
39:44:b9:2f:65:4f:7e:a7:c0:15:89:b0:e2:1d:c0:
25:4c:a6:31:75:14:a3:c4:cd:11:d2:87:b7:1a:7c:
b2:0d:41:99:4f:a6:e9:d4:8e:77:55:19:ce:f1:a4:
3c:cf:00:8d:e6:d1:c6:bc:06:f7:71:85:28:a4:c5:
e0:8d:b3:e1:62:25:d5:df:93:d2:d9:1c:5b:48:35:
70:e1:8a:9b:bf:9d:8b:41:b3:be:b6:c0:50:66:3b:
d8:9d:2f:82:49:11:f7:6d:43:95:6e:ea:bc:57:dc:
1c:90:6b:7e:8b:e3:0f:89:bd:32:3a:88:50:f0:48:
d3:98:8c:bc:eb:7f:44:31:2b:86:01:d0:80:4c:a2:
36:6e:24:47:48:d5:86:8e:86:06:c3:8e:df:5f:fb:
6b:fe:6a:aa:0c:a8:ca:b6:ed:60:47:ea:8e:5d:63:
b1:4f:ff:94:00:34:52:82:cf:a6:6a:84:69:4c:26:
ac:a3:dc:d7:45:eb:7c:4e:fc:fc:92:4a:73:12:9f:
31:7a:75:b9:de:33:54:34:af:0b:cf:46:c0:ac:2f:
ec:28:af:0d:f7:c6:50:c0:e7:4c:88:16:13:95:54:
0e:01:6e:1a:b6:33:bf:20:52:34:f4:69:a6:9e:bf:
02:95
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
44:65:95:e1:33:a4:ce:d1:c1:02:1a:ce:b3:2c:fa:c0:b2:34:
4e:12:d0:86:c7:09:23:9d:5b:46:f4:b2:bf:88:8b:5b:5d:d7:
57:c3:f9:9a:ba:95:bc:ed:4b:29:4b:19:97:ca:6c:bc:e1:44:
e0:e1:89:a3:ed:bd:29:ad:a7:91:c8:76:ea:62:d2:2c:e3:ff:
50:01:0a:3b:5a:28:53:38:53:82:ea:de:bc:24:84:bc:31:63:
ab:b2:10:81:81:73:f4:02:46:5f:2d:6d:22:b0:af:d7:70:c0:
db:de:ea:b9:23:87:3c:19:ef:c0:24:de:05:77:eb:89:d2:36:
d0:85:8a:ed:d1:7f:12:b0:58:5f:f5:53:f1:db:0b:44:53:a0:
72:8c:1a:e6:4a:fd:e8:8e:f8:ee:9e:7e:4e:85:59:42:44:fa:
1f:d3:70:4f:81:95:8e:a9:0f:83:49:a2:b0:fd:5b:f4:2d:5e:
86:ef:f3:56:b3:31:f3:58:3a:37:42:bb:39:c4:c1:b5:8c:e9:
b4:01:d2:2e:e8:7d:86:1a:66:88:34:1e:e5:36:ee:6d:6c:90:
78:45:a0:5b:a9:50:84:62:a8:88:ee:a6:70:fa:7c:ad:81:b7:
89:f1:d6:64:94:c4:17:69:c8:35:81:b2:f3:79:ad:a2:5a:a0:
02:28:a9:7f
--------------------------------------------------------------------------------

  4. Execute the exit command to log out from the XSCF shell.
    If you do not have any further work with the XSCF shell, log out from the XSCF. To proceed to configuring another setting, go to the relevant step.
Note - If the information of an X.509 public key certificate is corrupted because of an unexpected operation, the public key certificate may be required by the XSCF. Ensure that public key certificates are safely stored for recovery.
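A check to run on an administrative workstation after the showvbootcerts step, as an added example that is not part of the original manual: it parses showvbootcerts -v output in the layout shown above and compares the serial number and RSA modulus with the values that openssl x509 -noout -serial -modulus prints for the local copy of the certificate. The function names and the shortened sample values are constructed for illustration, and the code assumes the real output follows the layout shown on this page.

```python
import re

# Constructed sample in the layout shown above; the hex values are shortened placeholders.
SAMPLE = """\
PPAR-ID 4 User Index : 2 name : CUSTOM_CERT_2 [Enable]
Data:
Version: 3 (0x2)
Serial Number:
0a:1b:2c:3d
Signature Algorithm: sha256WithRSAEncryption
Subject Public Key Info:
Public-Key: (2048 bit)
Modulus:
00:de:ad:be:ef:01:02:03:04:05:06:07:08:09:0a:
0b:0c
Exponent: 65537 (0x10001)
"""

# One line of a colon-separated hex dump, with or without a trailing colon.
HEX_LINE = re.compile(r"^(?:[0-9a-f]{2}:)*[0-9a-f]{2}:?$", re.I)

def norm_hex(s):
    """Drop any 'label=' prefix, separators and leading zeros so that the
    XSCF rendering and the openssl rendering of a value compare equal."""
    value = s.split("=")[-1].lower()
    return re.sub(r"[^0-9a-f]", "", value).lstrip("0")

def parse_showvbootcerts(text):
    """Extract the identifying fields of one certificate entry."""
    m = re.search(r"PPAR-ID (\d+) User Index : (\d+) name : (\S+) \[(\w+)\]", text)
    if not m:
        raise ValueError("entry header not found")
    entry = {"ppar": int(m[1]), "index": int(m[2]), "name": m[3], "state": m[4]}
    lines = [line.strip() for line in text.splitlines()]
    for label, key in (("Serial Number:", "serial"), ("Modulus:", "modulus")):
        start = lines.index(label) + 1
        end = start
        while end < len(lines) and HEX_LINE.match(lines[end]):
            end += 1  # hex dumps may wrap over several lines
        entry[key] = norm_hex("".join(lines[start:end]))
    return entry

def matches_local(entry, name, serial, modulus):
    """True only if name, state, serial and public-key modulus all match."""
    return (entry["name"] == name and entry["state"] == "Enable"
            and entry["serial"] == norm_hex(serial)
            and entry["modulus"] == norm_hex(modulus))
```

Pass the captured XSCF output to parse_showvbootcerts and the two openssl output lines to matches_local; a False result means the registered entry is not the certificate you hold locally.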